GDPR – Right to be forgotten

GDPR from the point of view of the consumer

Interestingly, from the consumer's point of view, the consumer will be able to request not only information about their personal data but also its removal from the institution's database. This is called the right to be forgotten. The condition is that the data are no longer used, and this creates complications, as even after the agreement between the consumer and the company has expired, personal data are sometimes still being traded.

A company asking a citizen for data will have to inform them of the purpose, scope and duration of processing. The concept of "personal data" will in turn be extended to IP addresses and cookie files ("cookies") collected by the web browser. This means that the clauses on the use of personal data that customers have to sign will become even more extensive. And regardless of whether anyone wants to read them, businesses need to prepare new legal documents by May 25, 2018 that take the increased information obligation into account.

And what if there is a breach of personal data, for example as a result of a hacker attack? The company will have to report it to the General Inspector of Personal Data Protection without delay, and it will have only 72 hours to do so. This is a situation domestic companies have not faced before. – Entrepreneurs outside the telecommunications industry are not accustomed to reporting their own personal data protection violations to supervisory authorities. This new obligation requires not only identifying the infringement that has occurred but also preparing procedures for responding to data protection incidents.

Contrary to appearances, data theft is relatively common; it is just that, with few exceptions, such cases do not make the news. – In the media we hear about a leak of data on, for example, hundreds of a bank's clients. In reality, however, the number of cybercrimes committed is very large, but data theft is rarely reported. With the introduction of GDPR, information on even a single, minor infringement must be forwarded to the appropriate authorities.

High financial penalties for lack of GDPR compliance

As you can see, EU law is getting stricter, and although this benefits consumers, the specter of high fines hangs over businesses. Failing to meet the new obligations regarding the protection of personal data can cost a company up to 20 million euros or 4 percent of its annual turnover, whichever is higher. – Penalties will be proportionate to the scale of the violation. Like the whole of the Regulation, they are common to all Member States and will also apply to public administrations.

Limit and control

The system intended for data processing must be carefully encrypted, which minimizes the risk of potential violations. Access rights to the data should correspond exactly to the activities carried out and should not go beyond the necessary scope. In practice this means, for example, that the person who issues invoices in the system may have access to the full accounts of the partners or customers they deal with, whereas a balance sheet specialist does not need this, because the amounts and account numbers alone are sufficient for summaries. The tool we use in the company must allow access to be limited to the selected area. It is important to be able to disable the view of a specific category of data for an individual user, such as the last invoice value field for the person sending the customer newsletter.

Next comes the role of the administrator, which is to align access rights with the paths of data-related processes. By choosing and implementing the right IT system, we ensure technical compliance with the requirements of the GDPR and make it easier for the information security administrator to ensure that it actually complies with the EU regulation.
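The row- and field-level restriction described in this section (invoicing staff see full accounts only for the customers they deal with, the balance sheet specialist sees amounts and account numbers, the newsletter sender never sees the last invoice value), as an added Python example that is not part of the original article; the roles, field names, users and customer records are constructed for illustration:

```python
from dataclasses import dataclass

MASK = "<redacted>"  # shown in place of any field the role may not read
@dataclass(frozen=True)
class Role:
    fields: frozenset      # columns this role may read; everything else is masked
    all_customers: bool    # True: every customer; False: only customers assigned to the user

# Constructed policy (hypothetical roles and field names, not the article's own system).
ROLES = {
    # invoicing staff see the full account, but only for customers they deal with
    "invoicing": Role(frozenset({"customer_id", "name", "email", "address",
                                 "account_number", "last_invoice_value"}), False),
    # the balance-sheet specialist gets amounts and account numbers for everyone, no identity
    "balance_sheet": Role(frozenset({"customer_id", "account_number", "last_invoice_value"}), True),
    # the newsletter sender needs contact data only; last_invoice_value stays hidden
    "newsletter": Role(frozenset({"customer_id", "name", "email"}), True),
}

# Constructed assignments: which customers each user is dealing with.
ASSIGNMENTS = {"alice": {1001}, "bob": {1002}}

# Constructed customer records.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Jan Kowalski", "email": "jan@example.com",
     "address": "ul. Przykladowa 1, Warszawa", "account_number": "PL00 1111 2222",
     "last_invoice_value": 1234.56},
    {"customer_id": 1002, "name": "Anna Nowak", "email": "anna@example.com",
     "address": "ul. Testowa 2, Krakow", "account_number": "PL00 3333 4444",
     "last_invoice_value": 99.0},
]

def authorized_view(user, role_name, records, roles=ROLES, assignments=ASSIGNMENTS):
    """Records `user` may see in `role_name`: row filter by assignment (if the role is
    not all_customers), then field filter that masks values outside role.fields.
    Unknown roles get an empty result (deny by default)."""
    role = roles.get(role_name)
    if role is None:
        return []
    allowed_customers = assignments.get(user, set())
    view = []
    for rec in records:
        if not role.all_customers and rec["customer_id"] not in allowed_customers:
            continue  # row-level: not one of this user's customers
        view.append({k: (v if k in role.fields else MASK) for k, v in rec.items()})
    return view

if __name__ == "__main__":
    print(authorized_view("alice", "invoicing", CUSTOMERS))
```

Because keys are kept and values masked, an audit log of the view shows which fields were withheld from which user without exposing them.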